Lookout Blog, December 9, 2013
Over the past few months the Lookout security team has taken a closer look at a malware family we’ve labeled Mouabad, which gives third parties control over user devices and enables malicious parties to defraud victims via premium-rate SMS billing.
Recently, the team identified a new and particularly interesting variant of Mouabad, which we’ve dubbed MouaBad.p. For the first time (as far as Lookout has seen), remote attackers can now make phone calls (possibly to premium-rate numbers) without user intervention. This represents a significant jump in functionality compared to more common premium-rate fraud that relies on SMS functionality.
In addition to never-before-seen functionality, Mouabad.p is particularly sneaky and effective in its aim to avoid detection. For example, it waits to make its calls until a period of time after the screen turns off and the lock screen activates. Mouabad.p also ends the calls it makes as soon as a user interacts with their device (e.g. unlocks it). However, this malware variant does not appear to have the ability to modify call logs, so a discerning victim could uncover Mouabad.p’s dialing activity by checking their call history. Like all members of the Mouabad family, Mouabad.p also allows remote attackers to send SMS messages and control various settings related to premium SMS billing.
Who Is Likely to Be Affected
The good news is that the risk of infection is low. Mouabad.p only works on Android versions older than 3.1, since apps won't start from intents (like “user_present”) in later Android versions and Mouabad.p does not have a launcher shortcut. Lookout detection volumes of Mouabad.p are low and restricted primarily to Chinese-speaking regions. Since premium-rate SMS and telephone calls rely on country-specific phone numbers, Mouabad.p will not function outside of targeted countries, so there is no incentive for the attackers controlling it to allow it to spread outside these regions.
All Lookout users are protected from this threat.
What Makes Mouabad.p Noteworthy
In the world of mobile malware, Mouabad.p is noteworthy because it can initiate a call without user intervention. In addition, MouaBad.p is specifically engineered to evade detection and deletion, concealing its background activities from users wherever possible and attempting to get privileged device access to make itself more difficult to remove. Mouabad.p and other trojans that can financially harm users and effectively hide themselves underscore the need for sophisticated mobile malware protection.
How It Works + Capabilities
To launch, MouaBad.p depends on hooks into the operating system (known as intents) that start the app each time the device boots and whenever the device unlocks. This enables the malware to function without a suspicious icon on the home screen that might otherwise alert the device owner to its presence - just one of several techniques employed by its authors to evade detection.
Mouabad.p is likely delivered via a “dropper” app that loads Mouabad.p in the background during its own installation process. Once installed and run, Mouabad.p begins to poll its configured C&C servers for commands, typically once every 8 hours.
MouaBad.p looks for the following commands from the C&C server:
The method Mouabad.p uses to make and end calls is unusual: it uses reflection to access private methods in TelephonyManager, as opposed to the more common use of intents. The malware does not appear to have the ability to modify call history, leaving victims a rare opportunity to uncover malicious activity that is otherwise well concealed. The C&C server is currently down, so the exact dialing targets are unknown, but targeting premium-rate telephone numbers could offer the attackers an effective monetization strategy and would be a logical extension of the Mouabad family’s predilection for premium-rate fraud. In theory, this dialing functionality could also be used for other malicious purposes, such as remotely spying on conversations within the vicinity of a device microphone, or simply running up a victim’s wireless bill.
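As an added example (not Lookout's detection logic and not part of the original post), the launch and billing traits described above can be turned into a static triage check over a decoded AndroidManifest.xml: no launcher icon, a receiver for boot or unlock broadcasts, and a call or SMS permission. It assumes the manifest has already been decoded to text XML and that the app declares CALL_PHONE or SEND_SMS; the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Real Android namespace, intent actions and permissions; the heuristic itself
# is an assumption built from the traits described in this post.
ANDROID = "{http://schemas.android.com/apk/res/android}"
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.USER_PRESENT"}
BILLABLE = {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"}
LAUNCHER = "android.intent.category.LAUNCHER"

def _names(scope, tag):
    """android:name values of every <tag> element under scope."""
    return {e.get(ANDROID + "name") for e in scope.iter(tag)}

def triage_manifest(xml_text):
    """Triage a decoded (text) AndroidManifest.xml for the traits above."""
    root = ET.fromstring(xml_text)
    has_launcher = any(LAUNCHER in _names(act, "category")
                       for tag in ("activity", "activity-alias")
                       for act in root.iter(tag))
    triggers = set()
    for receiver in root.iter("receiver"):
        triggers |= _names(receiver, "action") & TRIGGERS
    billable = _names(root, "uses-permission") & BILLABLE
    return {"package": root.get("package"),
            "has_launcher": has_launcher,
            "triggers": sorted(triggers),
            "billable": sorted(billable),
            # Flag only when all three traits coincide.
            "flag": (not has_launcher) and bool(triggers) and bool(billable)}

# Constructed sample manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
RECEIVER = ('<receiver android:name=".R"><intent-filter>'
            '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
            '<action android:name="android.intent.action.USER_PRESENT"/>'
            '</intent-filter></receiver>')
HIDDEN = (HEAD % "com.example.hidden"
          + '<uses-permission android:name="android.permission.CALL_PHONE"/>'
          + '<application>' + RECEIVER + '</application></manifest>')
VISIBLE = (HEAD % "com.example.dialer"
           + '<uses-permission android:name="android.permission.CALL_PHONE"/>'
           + '<application><activity android:name=".Main"><intent-filter>'
           + '<action android:name="android.intent.action.MAIN"/>'
           + '<category android:name="' + LAUNCHER + '"/>'
           + '</intent-filter></activity>' + RECEIVER + '</application></manifest>')

if __name__ == "__main__":
    for sample in (HIDDEN, VISIBLE):
        print(triage_manifest(sample))
```

A flag here is a prompt for closer review rather than a verdict: the second sample shows that a dialer with a visible launcher icon and the same receiver is not flagged.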
How To Stay Safe